Even though DirectAccess has been around for a while now, it is a feature that is easy to overlook because Microsoft has marketed it primarily as a convenience feature for end users. DirectAccess frees users from having to manually attach to a VPN. Instead, users are automatically connected to the corporate network without having to do anything to initiate the connection other than opening a Web browser.
This is a nice feature, but there is more to DirectAccess than that: it can actually improve your organization’s security.
Client Computer Enforcement
One of the big drawbacks to traditional VPN connections is that it is difficult to control how the end user connects to the VPN. Any user with basic computer skills can configure a connection to your corporate VPN. He might configure such a connection on a corporate laptop, a home computer, a friend’s computer, or even a public kiosk.
The problem with this is that the computer that the user connects from could be running an outdated operating system that has never had any security patches applied. The computer could potentially be infected with malware or have any number of other problems.
Microsoft previously addressed some of these issues by designing the Windows Server 2008 Network Policy Server in a way that allows for system health validation. System health validation allows you to perform a few basic health checks on VPN clients before allowing them to connect to your main network segment. For example, the Network Policy Server can check to make sure that the Windows Firewall is enabled on the client computer.
System health validation helps to improve security and it can (and should) be used in conjunction with DirectAccess, but health validation alone will only accomplish so much. Users could still potentially connect to the VPN from any computer that complies with the minimal health requirements that you establish. When you consider that corporate data could potentially be stored or cached on such a machine you can begin to understand the importance of controlling which computers users connect from. This is especially true if your organization is subject to regulatory compliance.
DirectAccess solves this problem in a couple of different ways. First, DirectAccess only works with Windows 7, so there is no danger of someone establishing a DirectAccess connection with an outdated Windows XP machine. More importantly, DirectAccess requires mutual authentication between the client computer and the DirectAccess server. This authentication process is certificate based, which means that unless a client computer has been provisioned with the required certificate it cannot establish a DirectAccess connection.
Client Computer Maintenance
Another way DirectAccess can help to improve security is by making client computer maintenance easier. Previously, if an administrator wanted to apply security patches or antivirus updates to a client computer, he had to wait either until the user brought the computer into the office or until the user connected to the VPN. With DirectAccess, however, the computer automatically establishes a DirectAccess connection whenever it is connected to the network, which makes it possible to keep the computer updated even if the user isn’t logged in.
There are unfounded claims that DirectAccess actually reduces security by performing automatic authentication. The concern is that if a DirectAccess-enabled laptop were stolen then the laptop would provide the thief with an open door to the corporate network. However, this simply is not the way DirectAccess works.
In any Windows domain network there are two types of authentication that occur – user authentication and computer authentication. When Windows automatically establishes a DirectAccess connection it is performing computer authentication. This allows policies and updates to be applied to the computer, but it does nothing to provide the user with access to corporate resources. The user is still required to authenticate by either entering his username and password or by performing smart card authentication.
Additional Client Restrictions
Only client computers that are running Windows 7 and have been provisioned with the required certificate are able to establish a DirectAccess connection. But what would stop a user from copying the computer certificate to another computer and then establishing a DirectAccess connection from an unauthorized machine?
DirectAccess provides full control over which machines can establish a DirectAccess connection. Not only do the client computers require a special certificate, but they must also be domain joined and be members of a security group that has been given the right to connect through DirectAccess. As such, the only computers that can establish DirectAccess connectivity are the ones that you authorize.
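As an added illustration (not part of the original article, and not a Microsoft tool), the following PowerShell script audits a client against the requirements just described: Windows 7, domain membership, a machine certificate usable for client authentication, and membership of the authorized security group. The group name "DirectAccess Clients" is an assumption; substitute the group your own DirectAccess policy references.

```powershell
# Added example: check a client for the DirectAccess prerequisites the article lists.
# The group name is an assumed placeholder, not a value from the article.
param(
    [string]$DirectAccessGroup = "DirectAccess Clients"   # assumed name
)

$results = New-Object System.Collections.Specialized.OrderedDictionary

# 1. Operating system: DirectAccess clients must run Windows 7 (version 6.1).
$os = Get-WmiObject -Class Win32_OperatingSystem
$results["Windows 7"] = $os.Version.StartsWith("6.1")

# 2. Domain membership: a workgroup machine cannot be a DirectAccess client.
$cs = Get-WmiObject -Class Win32_ComputerSystem
$results["Domain joined"] = [bool]$cs.PartOfDomain

# 3. Computer certificate: the machine store must hold a currently valid certificate
#    with a private key and the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2),
#    which is what the certificate-based mutual authentication relies on.
$now = Get-Date
$clientAuthOid = "1.3.6.1.5.5.7.3.2"
$certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $clientAuthOid })
}
$results["Client auth certificate"] = ($certs | Measure-Object).Count -gt 0

# 4. Security group: read this computer account's memberOf attribute from AD.
#    ADSI is used so the check works without the RSAT ActiveDirectory module.
$groupMember = $false
if ($cs.PartOfDomain) {
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $searcher.PropertiesToLoad.Add("memberOf") | Out-Null
    $account = $searcher.FindOne()
    if ($account) {
        $groupMember = [bool]($account.Properties["memberof"] |
            Where-Object { $_ -like "CN=$DirectAccessGroup,*" })
    }
}
$results["Member of $DirectAccessGroup"] = $groupMember

# Report: any MISSING row is a reason this client cannot establish DirectAccess connectivity.
$results.GetEnumerator() | ForEach-Object {
    "{0,-40} {1}" -f $_.Key, $(if ($_.Value) { "OK" } else { "MISSING" })
}
```

Run it in an elevated PowerShell session on the client; the machine store and the AD query both require that the computer is on a network from which the domain controller is reachable.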
ABOUT THE AUTHOR
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server, Exchange Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. He writes regularly for TechTarget sites.
This was first published in September 2011